1 Key Risks
The most critical security risks an operator inherits when deploying this agent in its documented default configuration. The dominant risks concentrate in the CLI agent's tool execution surface, where a confirmed sandbox escape enabled full-chain data exfiltration, and in the cloud agents' inherited role privileges that expand blast radius beyond operator intent.
2 AIRQ Scores
The four headline scores quantify how exposed the agent is, how damaging a successful attack would be, and how much the agent’s own controls reduce that risk. Snowflake Cortex sits in the middle bands with a confirmed tool-execution exploit driving the attack surface and vendor-documented controls that are available but not default-on.
Exposed Giants placement means the agent ships with capable tool access and moderate blast reach but relies on the operator to enable every significant defense layer, making pre-deployment hardening a prerequisite rather than an optional enhancement.
Each axis measures a different dimension of risk: attack surface and blast radius scale to ten, defense controls sum to fifteen, and the composite AIRQ score reflects the ratio of capability protection to exposure.
| Metric | Score | Comments |
|---|---|---|
| AIRQ Score | 5.08 | Vendor-documented controls offset some tool-execution risk but the opt-in defense posture keeps the composite in the middle bands. |
| Blast Radius | 5.5 / 10 | Shell access and cached Snowflake credentials drive code-execution and credential blast while the platform's managed infrastructure limits deployment reach. |
| Attack Surface | 5.78 / 10 | A confirmed high-severity sandbox escape anchors the tool-execution surface while remaining surfaces stay in the moderate architectural bands. |
| Defense Controls | 6 / 15 | Sandboxing, prompt injection detection, output safety, and structured audit logging are all documented but require explicit opt-in or configuration. |
3 Attack Surface
Attack surfaces are the entry points and interaction patterns through which adversarial input can reach the agent’s reasoning loop and steer its behavior. The dominant exposures are the CLI agent's unvalidated ingestion of third-party repository content and its full shell execution surface, both confirmed exploitable via a single indirect prompt injection chain.
Three surfaces carry evidence-adjusted scores at or near maximum while the remaining seven stay in the low-to-moderate architectural bands, reflecting the platform's split between the high-authority CLI and the more constrained cloud agents.
Each row ties a scored surface to the architectural condition observed in vendor documentation and, where applicable, to agent-specific vulnerability evidence.
| Surface | Score | Comments |
|---|---|---|
| User Input | 4 / 4 | Multiple input channels including Snowsight, CLI, REST API, and Teams accept user prompts with opt-in guardrails only; CVE-2026-6442 confirmed indirect prompt injection via repository content. [1][7] |
| External Data | 4 / 4 | The CLI agent ingests third-party repository files, READMEs, and code without content validation; CVE-2026-6442 demonstrated that a poisoned README triggered a three-layer failure chain from injection through sandbox escape. [1][2][4] |
| Memory | 2 / 4 | Conversation history persists in local files for the CLI and in thread-based sessions for cloud agents with configurable zero data retention; no automated learning loops or integrity verification. [9] |
| Reasoning | 2 / 4 | Multi-step reasoning with visible thinking traces delegates to external LLMs via cross-region inference; no independent evidence confirms that the model-agnostic routing layer prevents reasoning-loop manipulation. [6] |
| Planning | 2 / 4 | Task planning with tool selection is user-visible in plan mode and constrained by Snowflake RBAC; text-to-SQL research demonstrates that prompt-steered query generation can leak data even under access controls. [5][6] |
| Tool Execution | 5 / 4 | Full bash and SQL execution with user-level privileges; CVE-2026-6442 (CVSS 8.3) demonstrated sandbox escape via process substitution, enabling credential theft and Snowflake data destruction. [1][2] |
| Orchestration | 2 / 4 | Multi-tool orchestration across Cortex Analyst, Search, and custom tools within a single supervised session; text-to-SQL queries execute under RBAC with no background scheduling documented. [6][14] |
| Inter-Agent | 1 / 4 | MCP protocol connects to external tools with vendor-managed message flow; no multi-agent delegation, cascade propagation, or inter-agent authentication documented. [9] |
| Output Processing | 2 / 4 | Rich output with Cortex Guard and AI Guardrails available for safety filtering, but both are opt-in; no default exfiltration blocking or URL sanitization documented for CLI outputs. [7] |
| Configuration | 2 / 4 | Settings files at user and project level control sandbox behavior and permission modes; the default allowUnsandboxedCommands setting permits fallback to host execution on approval. [8] |
The Lethal Trifecta is triggered when an agent processes untrusted content, accesses private data, and communicates externally in the same session — the three conditions that turn an isolated prompt injection into full-chain exfiltration. Snowflake Cortex reads untrusted repository content and web search results, accesses the operator's full warehouse data under the invoking role, and can transmit bytes through shell commands, MCP integrations, and web-connected tools without a default exfiltration control.
Snowflake Cortex exhibits all three of these conditions in its documented default configuration:
- Untrusted input — Repository files, MCP server outputs, and web search results inject untrusted content directly into the agent's context window with no runtime injection classifier active by default. [1][7]
- Sensitive data — The invoking role's Snowflake privileges grant read access to warehouse tables, schemas, and cached authentication tokens on the local host, with vendor-documented data handling confined to the platform's governance perimeter. [3][6][10]
- External egress — Unsandboxed shell commands, MCP-connected outputs, and the web search tool provide outbound channels that bypass the Snowflake governance boundary. [2][8]
4 Blast Radius
The blast radius is what an attacker who controls the agent can reach — which systems they touch, which credentials they read, and which actions they take without operator approval. Compromise of the CLI agent reaches the operator's host shell and cached Snowflake credentials, while compromise of a cloud agent reaches every table and schema the invoking role can query.
Two factors reach the upper bands, where host-level shell access and credential exposure define the damage ceiling, while the remaining four stay moderate or low, reflecting the platform's managed infrastructure constraints.
Each row ties a scored blast factor to the specific capability the agent holds by default and the evidence that grounds the assessment.
| Factor | Score | Comments |
|---|---|---|
| Code execution | 3 / 4 | The CLI agent runs bash with operator-level user privileges; CVE-2026-6442 confirmed arbitrary code execution outside the sandbox via process substitution. [1] |
| File system access | 2 / 4 | Sandbox restricts file access to the project directory by default but the configurable allowlist and unsandboxed fallback extend reach across the home directory; the demonstrated sandbox escape confirmed writes outside the restricted boundary. [1][8] |
| Network access | 2 / 4 | Sandbox domain restrictions can limit outbound access but the default configuration allows fallback to unrestricted host networking on approval. [8] |
| Credential access | 3 / 4 | The CLI caches Snowflake authentication tokens locally; CVE-2026-6442 demonstrated that these tokens could be harvested and used for warehouse-wide data exfiltration. [2] |
| Autonomous action | 2 / 4 | Cloud agents execute SQL under the invoking role's privileges with no per-query approval, amplified by the CORTEX_USER role granted to PUBLIC by default; the CLI supports approval gates but auto-allow mode is available. [6] |
| Deployment access | 1 / 4 | Agents can execute DDL statements with the invoking role's privileges but have no documented direct infrastructure modification, container deployment, or package publishing capability. [6] |
5 Defense Controls
Defense controls are what the agent’s own architecture does to detect, contain, and report attacks before they reach the operator’s systems. Sandboxing, prompt injection detection, output safety filtering, and structured audit logging are all documented as vendor-provided capabilities, with 14 security bulletins confirming an active vulnerability response practice, but each defense requires explicit opt-in or configuration to activate. [15]
The inverted scale shows that vendor-provided safeguards exist across all five components, but none ships as default-on enforcement, placing the defense score in the lower-middle range.
Each component is scored on what the vendor documents as available in the default configuration; the confidence tier indicates that these claims rest on vendor documentation without independent verification.
| Component | Score | Comments |
|---|---|---|
| Input Guardrails | 1 / 3 | Cortex AI Guardrails provide prompt injection and jailbreak detection but require account-level opt-in via the AI_SETTINGS parameter; not enabled by default. [7] |
| Execution Isolation | 1 / 3 | OS-level sandbox (sandbox-exec, bubblewrap, restricted tokens) is available for the CLI but allowUnsandboxedCommands defaults to true, permitting host fallback. [8] |
| Action Controls | 1 / 3 | Three-tier approval system in the CLI with plan mode and manual approval; however, bypassPermissions mode exists in the SDK and cloud agents lack per-query gates. [6][9] |
| Output Guardrails | 1 / 3 | Cortex Guard and AI_REDACT provide output safety filtering and PII redaction, but both require explicit invocation; no default DLP for CLI outputs. [7][13] |
| Monitoring | 2 / 3 | Immutable AI Observability event table captures conversation history and tool execution traces with role-based access, but no automated anomaly detection or alerting is documented. [11] |
6 Hardening Tips
Concrete actions an operator can take to reduce the risks reported above, grouped by which defense control each tip strengthens. The highest-leverage changes are enabling Cortex AI Guardrails at the account level, setting allowUnsandboxedCommands to false, and scoping agent roles to least-privilege Snowflake access.
Input Guardrails
Input guardrails intercept adversarial content before it reaches the reasoning loop.
- Policy: Require Cortex AI Guardrails activation as a precondition for any Cortex deployment in production environments — counters User Input and External Data at elevated risk with no default prompt shield.
- Configuration: Enable Cortex AI Guardrails via the AI_SETTINGS account parameter to activate runtime prompt injection and jailbreak detection across all Cortex surfaces — counters the opt-in default posture.
- Engineering: Deploy a DeBERTa-based prompt injection classifier in Snowpark Container Services as a pre-processing layer for all agent inputs — counters the absence of default ML-based injection detection.
Execution Isolation
Execution isolation contains what a compromised agent can do on the host.
- Policy: Mandate sandbox-enabled CLI configurations in organizational deployment guides and block unsandboxed execution through policy enforcement — counters Execution Isolation at the lowest effective band.
- Configuration: Set allowUnsandboxedCommands to false in the user-level settings file to prevent the sandbox fallback to host execution — counters the default path that enabled the CVE-2026-6442 attack chain.
- Engineering: Build a container-based wrapper for Cortex Code CLI sessions that enforces network egress restrictions at the container boundary — counters the OS-level sandbox limitations on network control.
Action Controls
Action controls govern which tools and actions the agent can invoke autonomously.
- Policy: Require plan mode for all Cortex Code sessions and prohibit bypassPermissions usage in production Agent SDK deployments — counters Action Controls weakness from auto-allow and bypass modes.
- Configuration: Configure Cortex Agent roles with least-privilege Snowflake RBAC scoped to specific databases and schemas rather than broad warehouse access — counters the identity blast radius documented for cloud agents.
- Engineering: Implement canUseTool callbacks in Agent SDK deployments that enforce allowlists for SELECT-only SQL and block CREATE, DROP, ALTER, and GRANT statements by default — counters the absence of per-query approval gates in cloud agents.
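The SELECT-only gate from the Engineering tip above, as an added example that is not part of this profile or of the Agent SDK. The canUseTool signature, its return shape and the tool name execute_sql are assumptions; the statement classifier itself is SDK-independent and fails closed on comments, string literals, CTE-wrapped writes and multi-statement batches.

```python
# Added example, not Snowflake's or the Agent SDK's own code. The callback
# signature and the tool name "execute_sql" are assumptions; the SQL
# classifier is the SDK-independent part.
import re

# Statement verbs the gate accepts: plain SELECT and CTE-led SELECT (WITH).
ALLOWED_FIRST_VERBS = {"SELECT", "WITH"}
# Tokens denied anywhere in a statement, whatever the first verb. Covers the
# DDL/DCL the tip names plus write paths that also change warehouse state.
BLOCKED_TOKENS = {
    "CREATE", "DROP", "ALTER", "GRANT", "REVOKE", "TRUNCATE",
    "INSERT", "UPDATE", "DELETE", "MERGE", "COPY", "CALL", "EXECUTE",
}

_STRIP = re.compile(
    r"/\*.*?\*/"              # block comments
    r"|--[^\n]*"              # line comments
    r"|'(?:[^']|'')*'"        # single-quoted literals ('' escapes a quote)
    r"|\"(?:[^\"]|\"\")*\"",  # double-quoted identifiers
    re.S,
)

def _normalize(sql: str) -> str:
    """Blank out comments, string literals and quoted identifiers so the
    keyword checks cannot be fooled by SQL text hidden inside them."""
    return _STRIP.sub(" ", sql)

def classify_sql(sql: str) -> tuple[bool, str]:
    """Return (allowed, reason). Fails closed: anything not recognised as a
    single read-only SELECT is denied, including multi-statement batches.
    An unquoted column that happens to be named like a blocked keyword is
    a false positive the operator accepts in exchange for that guarantee."""
    statements = [s for s in _normalize(sql).split(";") if s.strip()]
    if not statements:
        return False, "empty statement"
    if len(statements) > 1:
        return False, "multi-statement batches are not allowed"
    tokens = re.findall(r"[A-Z_][A-Z0-9_$]*", statements[0].upper())
    if not tokens:
        return False, "no SQL verb found"
    if tokens[0] not in ALLOWED_FIRST_VERBS:
        return False, f"first verb {tokens[0]} is not SELECT/WITH"
    hit = BLOCKED_TOKENS.intersection(tokens)
    if hit:
        return False, "blocked keyword(s): " + ", ".join(sorted(hit))
    return True, "single read-only SELECT"

def can_use_tool(tool_name: str, tool_input: dict) -> dict:
    """Hypothetical canUseTool-style callback (signature assumed). Gates the
    SQL tool only; every other tool falls through to the normal approval flow."""
    if tool_name != "execute_sql":  # assumed tool name
        return {"behavior": "allow"}
    allowed, reason = classify_sql(tool_input.get("sql", ""))
    return {"behavior": "allow" if allowed else "deny", "message": reason}
```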
Output Guardrails
Output guardrails inspect what the agent sends to other systems and users.
- Policy: Require Cortex Guard invocation for all agent-generated outputs in production applications — counters Output Guardrails at the lowest effective band with opt-in safety filtering.
- Configuration: Configure AI_REDACT policies for sensitive data patterns across all Cortex-accessible tables to prevent credential and PII leakage in agent outputs — counters the absence of default DLP.
- Engineering: Build an output validation layer that inspects agent responses for credential patterns and blocks outbound data matching sensitive classification before delivery — counters the demonstrated credential exfiltration path.
Monitoring
Monitoring captures what the agent did and surfaces anomalies for review.
- Policy: Establish a mandatory audit review cadence for AI Observability events and integrate Trust Center security posture findings into agent deployment approval workflows — counters Monitoring with no automated alerting. [12]
- Configuration: Grant SNOWFLAKE.AI_OBSERVABILITY_READER and READ UNREDACTED AI OBSERVABILITY EVENTS TABLE to a dedicated security role for comprehensive agent audit access — counters the default metadata-only visibility.
- Engineering: Build automated alerting on the AI_OBSERVABILITY_EVENTS table using Snowflake tasks and notifications to detect anomalous tool execution patterns in real time — counters the absence of native anomaly detection.
7 References
The evidence base behind every score and finding in the profile, grouped by source type so the reader can verify any claim. Numbers in brackets throughout the report (e.g. [7][13]) refer to the entries below, which are numbered in citation order.
Selected Vulnerabilities
- [1] CVE-2026-6442: Sandbox escape via improper bash command validation in Cortex Code CLI versions prior to 1.0.25 (CVSS 8.3). Attacker-crafted repository content caused arbitrary code execution outside the sandbox without user consent. Patched in 1.0.25 with automatic update.
- [2] PromptArmor Cortex Code Disclosure: Responsible disclosure demonstrating the full CVE-2026-6442 attack chain: indirect prompt injection via repository README, human-in-the-loop bypass, sandbox escape, credential theft from cached Snowflake tokens, and warehouse data exfiltration and destruction with approximately 50 percent attack efficacy.
Selected Research
- [3] Cortex Agents Identity Blast Radius Analysis: P0 Security analysis documenting that Cortex agents inherit the full privileges of the invoking Snowflake role, turning over-scoped access into autonomous data exposure when combined with prompt injection or MCP-connected outputs.
- [4] Cortex Code README Prompt Injection Analysis: Architectural analysis of the CVE-2026-6442 attack chain documenting the three-layer failure pattern: indirect prompt injection, human-in-the-loop bypass, and sandbox escape that enabled full Snowflake database compromise.
- [5] SecureSQL Data Leakage Benchmark: EMNLP 2024 Findings benchmark evaluating data leakage risks in LLM-powered natural language interfaces to databases through prompt injection and inference attacks, applicable to text-to-SQL agent architectures.
Vendor Documentation
- [6] Cortex Agents Documentation: Vendor documentation for Cortex Agents covering tool orchestration across Analyst, Search, and custom tools, RBAC integration, API authentication, and the role-based privilege model that agents inherit.
- [7] Cortex AI Guardrails: Documentation for the opt-in prompt injection detection and jailbreak prevention system that uses contextual reasoning to detect adversarial threats, enabled via the AI_SETTINGS account parameter.
- [8] Cortex Code CLI Sandbox: Documentation for the OS-level sandbox implementation covering filesystem restrictions, network domain allowlists, permission modes, and the allowUnsandboxedCommands fallback setting.
- [9] Cortex Code Overview: Product overview documenting the CLI and Snowsight interfaces, tool orchestration capabilities, MCP support, three-tier approval system, and Snowflake RBAC integration.
- [10] Snowflake AI Trust and Safety: Vendor commitment page confirming that customer inputs and outputs remain within the Snowflake Security Boundary and are not used to train models available to other customers.
- [11] Cortex Agent Monitoring: Documentation for the immutable AI Observability event table that captures conversation history, planning traces, tool execution spans, and role-based access controls for agent audit data.
- [12] Snowflake Trust Center: Documentation for the account-level security posture scanning system that evaluates Snowflake accounts against security recommendations and surfaces violations and detections.
Other Sources
- [13] Snowflake Security Hub: Platform-level security capabilities overview covering Cortex Guard, layered RBAC, Trust Center integration, HackerOne bug bounty program, and encryption model.
- [14] Cortex Analyst Documentation: Documentation for the text-to-SQL service describing semantic model integration, RBAC-enforced query execution within the Snowflake governance boundary, and model-level access control.
- [15] Snowflake Security Bulletins: Vendor security advisories page listing 14 bulletins for Snowflake connectors and components, including remediation guidance and affected version ranges.